The classic approaches to synthesize a reactive system from a linear temporal logic (LTL) specification first translate the given LTL formula to an equivalent ω-automaton and then compute a winning strategy for the corresponding ω-regular game. To this end, the obtained ω-automata have to be (pseudo-)determinized, where typically a variant of Safra's determinization procedure is used. In this paper, we show that this determinization step can be significantly improved for tool implementations by replacing Safra's determinization by simpler determinization procedures. In particular, we exploit (1) the temporal logic hierarchy that corresponds to the well-known automata hierarchy consisting of safety, liveness, Büchi, and co-Büchi automata as well as their boolean closures, (2) the non-confluence property of ω-automata that result from certain translations of LTL formulas, and (3) symbolic implementations of determinization procedures for the Rabin-Scott subset construction and the Miyano-Hayashi breakpoint construction. In particular, we present convincing experimental results that demonstrate the practical applicability of our new synthesis procedure.

1 Introduction 

In formal verification, we have to check for a given implementation 𝒮 and a given LTL property φ whether 𝒮 satisfies φ in any environment, which is usually written as 𝒮 ⊨ φ. In the more general synthesis problem, we have to check whether an (incomplete) implementation¹ 𝒮 can be refined by another system 𝒞 (often called a controller) such that a given property φ holds, i.e., whether there exists a system 𝒞 such that the composition of 𝒮 and 𝒞 satisfies φ. This means that the combined behavior of 𝒞 and 𝒮 satisfies φ in any environment. This controller synthesis problem can be naturally viewed as an infinite game between the controller and an adversarial environment.

Due to the enormous progress made during the past two decades, the tools used in formal verification can now be applied to real-world problems, and therefore are routinely used in industrial practice. In contrast, the tools known so far for the synthesis of LTL specifications can only be applied to small examples, which is due to the implementation of these tools: The currently available procedures used in these tools consist of two steps: Similar to verification, the first step consists of translating the LTL formula φ to an equivalent nondeterministic ω-automaton 𝔄_φ. While this automaton 𝔄_φ can be directly used for symbolic model checking, it is favorable to have a deterministic automaton for constructing an ω-regular game from the obtained automaton 𝔄_φ and the incomplete implementation 𝒮. This determinization step is the main reason for the high complexity of the synthesis problem for LTL.

In particular, Safra's construction [23] is often used for this purpose. This construction generates for a given Büchi automaton with n states an equivalent deterministic Rabin automaton with 12^n · n^{2n} states and n acceptance pairs. However, Safra's construction is extremely difficult to implement [?] and unfortunately not amenable to a symbolic implementation. Indeed, a major drawback of Safra's construction is that known implementations use an explicit representation of the automata, since the states of Safra's automaton consist of trees whose nodes are labeled with sets of states. This is probably the main reason why tools for synthesis lag behind (compared to model checking tools that achieved a significant breakthrough first by symbolic state space representations, and second by the use of efficient SAT solvers). As a consequence, tools for LTL synthesis are still limited to very small formulas with only few temporal operators.

¹ It is allowed that 𝒮 consists of only the environment.

In this paper, we show how we can always replace Safra's determinization procedure by simpler ones like the Rabin-Scott subset construction and the Miyano-Hayashi breakpoint construction [17, 25]. To this end, we exploit the membership of the subformulas of a given formula in the classes of the temporal logic hierarchy as well as a recently published determinization procedure for non-confluent ω-automata [18].

The temporal logic hierarchy [?] has been developed in correspondence to the ω-automata hierarchy [?] that has been inspired by the Borel hierarchy known from descriptive set theory. As the ω-automata hierarchy, the temporal logic hierarchy distinguishes between six different classes of properties (cf. Figure 1). It is moreover known that each class can be characterized by a deterministic class of ω-automata that differ in their acceptance conditions, as explained in Section 4.1. While Manna and Pnueli's original definition of the hierarchy was a semantic one (meaning that an LTL formula belongs to a class iff there is an equivalent ω-automaton in that class), Schneider [24, 25] presented syntactic characterizations of these classes by means of simple grammars for each of these logics (cf. Figure 2). Clearly, such syntactic characterizations are incomplete (in the sense that an equivalent formula may belong to a different class), but they are sufficient for practical use: In general, the membership test given by these grammars yields an upper bound of the temporal logic class, and in practice, it often yields the precise class, making more expensive tests unnecessary.

In the following, we will therefore also make use of a syntactic, and therefore incomplete, but more efficiently testable definition to come up with a very efficient LTL synthesis procedure. The key idea of this procedure is based on the following observation: It is well-known since [5] that for every LTL formula of each temporal logic class, there is an equivalent deterministic automaton with the corresponding acceptance condition. However, it was previously not recognized that we can avoid complex determinization procedures like Safra's once we can express a given LTL formula as a boolean combination of lower class subformulas.

In fact, by the syntactic representation, each formula in the highest class is already a boolean combination of co-Büchi properties, so that we can obtain a Safra-less determinization procedure by first computing deterministic co-Büchi automata for these subformulas, and then computing the boolean closure of the obtained deterministic automata (which is simple, as outlined in [25]). The translation of the subformulas to symbolically represented nondeterministic co-Büchi automata has been presented in detail in [24, 25], and their determinization can be performed using the Miyano-Hayashi breakpoint construction [17, 25]. We can even improve this procedure by determining tighter classes like safety and liveness properties, so that even the Rabin-Scott subset construction is sufficient for the determinization.

The second major ingredient of our efficient synthesis procedure are the symbolic determinization constructions we have developed in [19] for the Rabin-Scott subset construction [22] and the Miyano-Hayashi breakpoint construction: For a given symbolically represented nondeterministic automaton, we directly construct symbolic descriptions of the corresponding deterministic automata. Although we cannot avoid one exponential step (namely the enumeration of the reachable states of the nondeterministic automaton), we achieved that the symbolic description of the deterministic automaton can be obtained without building it explicitly. Thus, we avoid the enumeration of the exponentially larger state space of the deterministic automaton.

Thus, we are able to translate every formula of the temporal logic hierarchy to an equivalent deterministic ω-automaton. Due to results of [15], one can translate every LTL formula to a formula contained at least in the highest class of this hierarchy. However, all known such translations require a determinization step, and therefore, they are not useful for our purpose. Thus, we currently have the restriction that the given LTL formulas must already syntactically belong to one of the classes of the hierarchy. In practice, we found that this is almost always the case (in more than 95% of our benchmarks), and in some other cases, it was not too difficult to rewrite the formula to achieve this membership (checking the equivalence of the rewritten LTL formulas is no problem for verification tools).

To handle the remaining rare cases of formulas that cannot be easily rewritten to classes of the temporal logic hierarchy, we use as a final ingredient of our synthesis procedure our recently published determinization procedure for non-confluent automata [18]. This procedure can be applied to any given LTL formula, provided we use a translation to ω-automata that generates non-confluent automata (which exists!).

In this paper, we build upon the mentioned results we developed in our previous work, i.e., we first try to decompose a given specification into subformulas that syntactically belong to a class of the temporal logic hierarchy, and apply symbolic implementations of the Rabin-Scott and the Miyano-Hayashi constructions to translate these subformulas to deterministic ω-automata. If this is not directly possible, we make use of a simple translation for full LTL to non-confluent automata so that we can apply our recently published determinization procedure [18].

Having obtained a deterministic automaton, we use standard automata translations to obtain (generalized) deterministic parity automata for each subformula, which are then combined into one conjunctive generalized parity condition. The obtained generalized parity automaton yields a generalized parity game, which is solved in the final step of our algorithm using the symbolic algorithm given in [7].

The outline of this paper is as follows: after starting with more details on related work (Section 2) and some basic definitions (Section 3), we explain how we can make use of the temporal logic hierarchy (Section 4). The second ingredient is the exploitation of the non-confluence property that is explained in Section 5. The added value and the core of this paper is the combination of these results in Section 6 to obtain an efficient symbolic synthesis procedure for full LTL. We conclude the paper with experimental results in Section 7.

2 Related Work 

There are already symbolic implementations of the subset and breakpoint construction [1, 2]. In [2], procedures are described to compute a symbolically represented nondeterministic automaton from a given alternating automaton, i.e., a non-determinization procedure. Although there are some similarities to our procedure, non-determinization of alternating automata and determinization of nondeterministic automata are different for ω-automata [29]. Closer to our determinization procedure is [1], which generates a deterministic automaton for the safety fragment and thus implements the subset construction. However, they also start with an alternating automaton, which is then translated to an explicitly represented nondeterministic automaton. The nondeterministic automaton is generated on the fly, thus avoiding the construction of the whole explicit automaton. However, this step crucially relies on a translation from alternating automata to the corresponding nondeterministic automata, while our procedure is independent of the previous translation from temporal logic to nondeterministic automata. In particular, it is not obvious how the work [1] could be generalized to more expressive classes like co-Büchi automata.
Since it became clear that the determinization step is the major hurdle in the synthesis of full LTL, a recent research trend aims at avoiding determinization by somehow integrating the synthesis procedure with lightweight 'pseudo'-determinization procedures. In [13], Kupferman and Vardi present an approach that avoids Safra's determinization and goes through universal co-Büchi word and weak alternating tree automata instead. This approach has been refined in [12] to allow compositional synthesis or to allow also controller synthesis. A major disadvantage of the approach presented in [13] regarding controller synthesis is that it suffers from an exponential blowup with respect to the size of the system under control, even if this system is deterministic. Our approach avoids this exponential blowup. Jobstmann and Bloem developed in [10] optimizations for this Safra-less approach and developed the tool 'Lily'. This tool was the first implementation that is able to synthesize designs that satisfy arbitrary LTL specifications. Although Kupferman and Vardi's approach is potentially amenable to a symbolic implementation, the tool Lily is implemented explicitly, so that it is also limited to small LTL formulas only.

In practice, specifications are not given as a single large formula; instead they consist of several relatively small subformulas. In [27], an algorithm for LTL synthesis is presented that assumes that the overall specification is given as a conjunction of LTL formulas. Instead of performing determinization for the whole specification, the algorithm generates deterministic automata using the approach of [21] explicitly. Those explicitly represented automata are then encoded symbolically to obtain a generalized parity game, which is then solved using the generalized parity algorithm given in [6]. Our algorithm assumes a similar setting: We also assume that the specification is a conjunction of LTL formulas. The determinization is also performed only on the nondeterministic automata obtained from these small subformulas, and the final automaton for the overall specification is obtained by combining the single deterministic automata. The main difference is however that we never represent the automata explicitly, so that we expect that our algorithm scales much better (unfortunately, the tool mentioned in [27] is not publicly available, so that we cannot perform comparisons).

3 Basic Definitions 

3.1 Linear Temporal Logic 

For a given set of Boolean variables (propositions) V_Σ, we define the set of LTL formulas by the following grammar²: φ ::= V_Σ | ¬φ | φ ∨ φ | Xφ | [φ U φ]. Additionally, we define φ ∧ ψ, Fφ, Gφ, and [φ U̲ ψ] as abbreviations for ¬(¬φ ∨ ¬ψ), [1 U φ], ¬F¬φ, and [φ U ψ] ∨ Gφ, respectively.

To define the semantics of an LTL formula φ, we consider infinite sequences of truth assignments to its atomic propositions, i.e., words in (2^{V_Σ})^ω. We denote the (i+1)-th element of w by w_i, i.e., w = (w_0, w_1, …). The semantics of LTL formulas is then defined as follows:

• for p ∈ V_Σ, we have w, i ⊨ p iff p ∈ w_i

• w, i ⊨ ¬φ iff w, i ⊭ φ

• w, i ⊨ φ ∨ ψ iff w, i ⊨ φ or w, i ⊨ ψ

• w, i ⊨ Xφ iff w, i+1 ⊨ φ

• w, i ⊨ [φ U ψ] iff there exists k ≥ i such that w, k ⊨ ψ and for all j with i ≤ j and j < k, we have w, j ⊨ φ

For a formula φ and a position j ≥ 0 such that w, j ⊨ φ holds, we say that φ holds at position j of w. If w, 0 ⊨ φ holds, we say that φ holds on w, and write simply w ⊨ φ.

² We neglect past temporal operators, although these are also available in our framework.

3.2 ω-Automata on Infinite Words

Definition 1 (ω-Automata). Let Q be a finite set of state variables. Let V_Σ be a finite set of input variables disjoint from Q that defines an alphabet Σ = 2^{V_Σ}. Then, an ω-automaton 𝔄 = (𝒮, ℐ, ℛ, λ, 𝒜) over the alphabet Σ is given by a finite set of states 𝒮, a set of initial states ℐ ⊆ 𝒮, a transition relation ℛ ⊆ 𝒮 × Σ × 𝒮, a labeling function λ : 𝒮 → 2^Q with λ(s) ≠ λ(s') for s ≠ s', and an acceptance component 𝒜.

Using standard terminology, we say that 𝔄 is deterministic if exactly one initial state exists and for each s ∈ 𝒮 and each input σ ∈ Σ there exists exactly one s' ∈ 𝒮 with (s, σ, s') ∈ ℛ.

The acceptance of a word is defined with respect to the set of runs: Consider an automaton 𝔄 = (𝒮, ℐ, ℛ, λ, 𝒜) and an infinite word α : ℕ → Σ over Σ. Each infinite word β : ℕ → 𝒮 with β^(0) ∈ ℐ and ∀t. (β^(t), α^(t), β^(t+1)) ∈ ℛ is called a run of α through 𝔄. We extend the labeling function to runs by defining λ(β) = λ(β^(0)) λ(β^(1)) … . Note that λ(β) is a path over Q, called the trace of β. Since every trace of an automaton 𝔄 over a word α is a path over Q, we can use LTL to specify the acceptance conditions for ω-automata. To simplify notation, we identify each run with its trace and write β ⊨ φ to mean that λ(β) ⊨ φ. Another form of acceptance conditions are parity conditions, which are conveniently defined by a priority function Ω : 𝒮 → {0, 1, …, d−1} for some d ∈ ℕ. A run is accepted by a parity condition if the minimal priority seen infinitely often is even. A generalized (conjunctive) parity condition is given by k priority functions, and a run is accepted iff it is accepted by each parity condition separately.

Since the states are uniquely identified by the state variables (we have λ(s) ≠ λ(s') for s ≠ s'), we can represent each state (set) by a propositional formula. Hence, we can already represent the set of initial states by a propositional formula Φ_ℐ over Q ∪ V_Σ. Introducing moreover for each variable p ∈ Q a next-state variable p' allows us to represent also the transition relation by a propositional formula Φ_ℛ over Q ∪ V_Σ ∪ {p' | p ∈ Q}.

4 Exploiting the Temporal Logic Hierarchy 
4.1 The Automata Hierarchy 

In the past, several kinds of acceptance conditions have been proposed and their different expressivenesses have been studied in depth. In particular, the following acceptance conditions have been considered [?]:

• A run is accepted by a safety condition Gφ with a state set φ if the run exclusively runs through the set φ.

• A run is accepted by a liveness condition Fφ with a state set φ if the run visits at least one state of the set φ at least once.

• A run is accepted by a Büchi condition GFφ with a state set φ if the run visits at least one state of the set φ infinitely often.

• A run is accepted by a co-Büchi condition FGφ with a state set φ if the run eventually visits only states of the set φ.
Figure 1: (Borel) Hierarchy of ω-Automata and Temporal Logic
The above conditions define the corresponding automaton classes (N)Det_G, (N)Det_F, (N)Det_GF, and (N)Det_FG, respectively. Moreover, (N)Det_Prefix and (N)Det_Streett automata have acceptance conditions of the form ⋀_j (Gφ_j ∨ Fψ_j) and ⋀_j (GFφ_j ∨ FGψ_j), respectively.

The expressiveness of these classes is illustrated in Figure 1, where 𝒞₁ → 𝒞₂ means that for any automaton in 𝒞₁, there is an equivalent one in 𝒞₂. As can be seen, the hierarchy consists of six different classes, and each class has a deterministic representative.

4.2 The Temporal Logic Hierarchy 

In [15, 24, 25], corresponding hierarchies for temporal logics have been defined. Following [24, 25], we define the hierarchy of temporal logic formulas syntactically by the grammar rules of Fig. 2.





$P_G ::= V_\Sigma \mid \neg P_F \mid P_G \wedge P_G \mid P_G \vee P_G \mid \mathsf{X} P_G \mid \mathsf{G} P_G \mid [P_G \ \underline{\mathsf{U}}\ P_G]$

$P_F ::= V_\Sigma \mid \neg P_G \mid P_F \wedge P_F \mid P_F \vee P_F \mid \mathsf{X} P_F \mid \mathsf{F} P_F \mid [P_F \ \mathsf{U}\ P_F]$

$P_{Prefix} ::= P_G \mid P_F \mid \neg P_{Prefix} \mid P_{Prefix} \wedge P_{Prefix} \mid P_{Prefix} \vee P_{Prefix}$

$P_{GF} ::= P_{Prefix} \mid \neg P_{FG} \mid P_{GF} \wedge P_{GF} \mid P_{GF} \vee P_{GF} \mid \mathsf{X} P_{GF} \mid \mathsf{G} P_{GF} \mid [P_{GF} \ \underline{\mathsf{U}}\ P_{GF}] \mid [P_{GF} \ \mathsf{U}\ P_F]$

$P_{FG} ::= P_{Prefix} \mid \neg P_{GF} \mid P_{FG} \wedge P_{FG} \mid P_{FG} \vee P_{FG} \mid \mathsf{X} P_{FG} \mid \mathsf{F} P_{FG} \mid [P_{FG} \ \mathsf{U}\ P_{FG}] \mid [P_G \ \underline{\mathsf{U}}\ P_{FG}]$

$P_{Streett} ::= P_{GF} \mid P_{FG} \mid \neg P_{Streett} \mid P_{Streett} \wedge P_{Streett} \mid P_{Streett} \vee P_{Streett}$

Figure 2: Syntactic Characterizations of the Classes of the Temporal Logic Hierarchy



Definition 2 (Temporal Logic Classes). For κ ∈ {G, F, Prefix, FG, GF, Streett}, we define the logics TL_κ by the grammars given in Fig. 2, where TL_κ is the set of formulas that can be derived from the nonterminal P_κ (V_Σ represents any variable v ∈ V_Σ).

Typical safety conditions like Gφ or G[a U̲ b] that state that something bad never happens are contained in TL_G. Liveness conditions like Fφ are contained in TL_F. Finally, fairness conditions like GFφ that demand that something good happens infinitely often are contained in TL_GF, while stabilization/persistence properties like FGφ that demand that after a finite interval nothing bad happens are contained in TL_FG. In our experience, almost all formulas that occur in practice belong to TL_Streett. If a given formula does not belong to TL_Streett, it is often straightforward to rewrite it to an equivalent TL_Streett formula. For example, the formula GF[b U̲ a] that demands that infinitely often [b U̲ a] holds is equivalent to the TL_Streett formula GF[b U a] ∨ FG[b U̲ a]. Clearly, there are many formulas outside TL_Streett, but we claim that these formulas seldom occur in practice.
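As an added example (our own code, not from the paper or the Averest tools), the following Python functions implement the membership tests of the grammars of Figure 2 over a small tuple-based formula representation, where W stands for the weak until [φ U̲ ψ] of Section 3.1 and F/G inside the GF/FG classes are read as [1 U φ] and [φ U̲ 0]; the classifier returns the syntactic upper bound discussed in the introduction and reproduces the GF[b U̲ a] example above.

```python
"""Added example (our own code, not from the paper): a syntactic membership test for
TL_G, TL_F, TL_Prefix, TL_GF, TL_FG and TL_Streett following the grammars of Figure 2.
Formulas are nested tuples; "W" is the weak until [phi U_ psi] = [phi U psi] or G phi."""

def var(name):        return ("var", name)
def neg(f):           return ("not", f)
def conj(f, g):       return ("and", f, g)
def disj(f, g):       return ("or", f, g)
def nxt(f):           return ("X", f)
def always(f):        return ("G", f)
def eventually(f):    return ("F", f)
def until(f, g):      return ("U", f, g)   # strong until
def weak_until(f, g): return ("W", f, g)   # weak until

def in_G(f):
    """P_G ::= V | not P_F | P_G and P_G | P_G or P_G | X P_G | G P_G | [P_G W P_G]"""
    op = f[0]
    if op == "var":               return True
    if op == "not":               return in_F(f[1])
    if op in ("and", "or", "W"):  return in_G(f[1]) and in_G(f[2])
    if op in ("X", "G"):          return in_G(f[1])
    return False

def in_F(f):
    """P_F ::= V | not P_G | P_F and P_F | P_F or P_F | X P_F | F P_F | [P_F U P_F]"""
    op = f[0]
    if op == "var":               return True
    if op == "not":               return in_G(f[1])
    if op in ("and", "or", "U"):  return in_F(f[1]) and in_F(f[2])
    if op in ("X", "F"):          return in_F(f[1])
    return False

def in_Prefix(f):
    """P_Prefix ::= P_G | P_F | not P_Prefix | P_Prefix and P_Prefix | P_Prefix or P_Prefix"""
    if in_G(f) or in_F(f):        return True
    op = f[0]
    if op == "not":               return in_Prefix(f[1])
    if op in ("and", "or"):       return in_Prefix(f[1]) and in_Prefix(f[2])
    return False

def in_GF(f):
    """P_GF ::= P_Prefix | not P_FG | P_GF and P_GF | P_GF or P_GF | X P_GF | G P_GF
               | [P_GF W P_GF] | [P_GF U P_F]; F phi is read as [1 U phi], so phi must be in P_F."""
    if in_Prefix(f):              return True
    op = f[0]
    if op == "not":               return in_FG(f[1])
    if op in ("and", "or", "W"):  return in_GF(f[1]) and in_GF(f[2])
    if op in ("X", "G"):          return in_GF(f[1])
    if op == "F":                 return in_F(f[1])
    if op == "U":                 return in_GF(f[1]) and in_F(f[2])
    return False

def in_FG(f):
    """P_FG ::= P_Prefix | not P_GF | P_FG and P_FG | P_FG or P_FG | X P_FG | F P_FG
               | [P_FG U P_FG] | [P_G W P_FG]; G phi is read as [phi W 0], so phi must be in P_G."""
    if in_Prefix(f):              return True
    op = f[0]
    if op == "not":               return in_GF(f[1])
    if op in ("and", "or", "U"):  return in_FG(f[1]) and in_FG(f[2])
    if op in ("X", "F"):          return in_FG(f[1])
    if op == "G":                 return in_G(f[1])
    if op == "W":                 return in_G(f[1]) and in_FG(f[2])
    return False

def in_Streett(f):
    """P_Streett ::= P_GF | P_FG | not P_Streett | P_Streett and P_Streett | P_Streett or P_Streett"""
    if in_GF(f) or in_FG(f):      return True
    op = f[0]
    if op == "not":               return in_Streett(f[1])
    if op in ("and", "or"):       return in_Streett(f[1]) and in_Streett(f[2])
    return False

CLASSES = (("TL_G", in_G), ("TL_F", in_F), ("TL_Prefix", in_Prefix),
           ("TL_GF", in_GF), ("TL_FG", in_FG), ("TL_Streett", in_Streett))

def classify(f):
    """Smallest class whose grammar derives f: an upper bound on the semantic class."""
    for name, test in CLASSES:
        if test(f):
            return name
    return "outside TL_Streett"

if __name__ == "__main__":
    a, b = var("a"), var("b")
    for name, f in [("G(not a or X b)", always(disj(neg(a), nxt(b)))),
                    ("GF a", always(eventually(a))),
                    ("GF[b W a]", always(eventually(weak_until(b, a)))),
                    ("GF[b U a] or FG[b W a]",
                     disj(always(eventually(until(b, a))), eventually(always(weak_until(b, a)))))]:
        print(f"{name}: {classify(f)}")
```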

4.3 Relating the Temporal Logic and the Automata Hierarchy 

In [24, 25], several translation procedures are given to translate formulas from TL_κ to equivalent (N)Det_κ automata. In particular, the following is an important result:

Theorem 1 (Temporal Logic and Automaton Hierarchy). Given a formula Φ ∈ TL_κ, we can construct a deterministic ω-automaton 𝔄 = (2^Q, Φ_ℐ, Φ_ℛ, λ, 𝒜) of the class Det_κ in time O(2^{|Φ|}) with |Q| ≤ 2^{|Φ|} state variables. Therefore, 𝔄 = (2^Q, Φ_ℐ, Φ_ℛ, λ, 𝒜) is a symbolic representation of a deterministic automaton with O(2^{2^{|Φ|}}) states.

The above results are already proved in detail in [25], where translation procedures from TL_κ to NDet_κ have been constructed. Moreover, it has been shown in [25] that the subset construction can be used to determinize the automata that stem from the classes TL_G and TL_F, and that the Miyano-Hayashi breakpoint construction is sufficient to determinize the automata that stem from the translation of formulas from TL_FG and TL_GF.

Since TL_Prefix and TL_Streett are the boolean closures of TL_G ∪ TL_F and TL_FG ∪ TL_GF, respectively, the remaining results for TL_Prefix and TL_Streett follow from the boolean combinations of Det_G/Det_F and Det_FG/Det_GF, respectively.

The final step consists of computing the boolean closure of the acceptance conditions. To this end, it is shown in [25] how arbitrary boolean combinations of Gφ and Fφ with propositional formulas φ are translated to equivalent Det_Prefix automata, and analogously, how arbitrary boolean combinations of GFφ and FGφ with propositional formulas φ are translated to equivalent Det_Streett automata.

5 Exploiting the Non-Confluence Property

It is well-known that the ω-automata that stem from LTL formulas are a special class that has already found several characterizations. Due to results of [15], the automata can be characterized as non-counting automata, and in terms of alternating automata, the class of linear weak or very weak automata has been defined [16, 20]. Moreover, many translation procedures from LTL generate unambiguous automata [?] where every accepted word has a unique accepting run [25] (although there may be additional non-accepting runs for the same word). The determinization procedure presented in this section makes use of the fact that the automata generated from LTL are unambiguous. Without useless states, the transition relation of an unambiguous automaton has a certain form that we call non-confluence:

An automaton is non-confluent if whenever two runs of the same infinite word meet at a state q, then they must share the entire finite prefix up to state q.
Figure 3: Nondeterministic Automaton for [φ U ψ]

Figure 4: Run Tree with a Uniquely Determined Infinite Run

To give an intuitive idea why the automata constructed from LTL formulas by the 'standard translation' procedure are non-confluent, consider the automaton of Figure 3 that is obtained by translating the formula [φ U ψ] to a nondeterministic automaton. As explained in [25], the 'standard' translation procedure from LTL to ω-automata traverses the syntax tree of the LTL formula in a bottom-up manner and abbreviates each subformula that starts with a temporal operator. The subformula [φ U ψ] is thereby abbreviated by a new state variable q, and the preliminary transition relation Φ_ℛ is replaced with Φ_ℛ ∧ (q ↔ ψ ∨ φ ∧ q').

As can be seen in Figure 3, the input φ ∧ ¬ψ demands that the current state is maintained, but allows the automaton to be in any of the two states. The other three classes of inputs uniquely determine the current state, but leave the successor state completely unspecified³. As a consequence, input words that infinitely often satisfy ¬(φ ∧ ¬ψ), i.e., ¬φ ∨ ψ, have only one (infinite) run, while the remaining input words that satisfy φ ∧ ¬ψ from a certain point of time on have two infinite runs that are of the form ξq^ω and ξ(¬q)^ω with the same finite prefix ξ. Hence, the automaton is non-confluent, since the two runs never merge after they have split.

An example run tree (that encodes all the runs of a given word) is shown in Fig. 4. It can be seen that there is a uniquely determined run, since all other nondeterministic choices lead to finite paths. Another example run tree that contains two infinite runs is shown in Figure 5.

As every automaton 𝔄_φ obtained by the translation of an LTL formula φ is a product of non-confluent automata, and as the product automaton of two non-confluent automata is also non-confluent, it follows that the automata 𝔄_φ obtained by the above 'standard' translation are non-confluent.
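As an added illustration (our own code, not part of the paper or of the Opal tool), the following Python script encodes the automaton of Figure 3 through its transition relation q ↔ ψ ∨ φ ∧ q', enumerates all runs of a finite input word as the run trees of Figures 4 and 5 do, and checks the non-confluence property by brute force over all short words; admitting both states as initial states, the letter encoding, and the confluent comparison automaton are our assumptions.

```python
"""Added example (our own code, not from the paper or the Averest/Opal tools): the
automaton of Figure 3 for [phi U psi] and a brute-force non-confluence check."""
from itertools import product

# An input letter is the set of input variables that are true: a subset of {"phi", "psi"}.
def letter(*true_vars):
    return frozenset(true_vars)

# The automaton has one state variable q, i.e. the two states q (True) and not-q (False).
STATES = (True, False)

def until_transition(s, a, s_next):
    """Transition relation of the 'standard translation' of [phi U psi]:
    q <-> (psi or (phi and q')).  True iff (s, a, s_next) is a transition."""
    phi, psi = "phi" in a, "psi" in a
    return s == (psi or (phi and s_next))

def free_transition(s, a, s_next):
    """A confluent automaton for comparison: every successor is always allowed."""
    return True

def runs(trans, word):
    """All runs through a finite word (a list of letters): every state sequence of
    length len(word)+1 that respects the transition relation.  As in the run trees of
    Figures 4 and 5, both states may serve as initial state (our assumption)."""
    n = len(word)
    return [path for path in product(STATES, repeat=n + 1)
            if all(trans(path[t], word[t], path[t + 1]) for t in range(n))]

def is_non_confluent(trans, word):
    """Non-confluence on a finite word: two runs that are in the same state at position t
    must share the entire prefix up to t, i.e. runs may split but never merge."""
    rs = runs(trans, word)
    for t in range(len(word) + 1):
        seen = {}  # state at position t -> the prefix that reached it
        for r in rs:
            prefix = r[:t]
            if r[t] in seen and seen[r[t]] != prefix:
                return False  # two different prefixes merged in the same state
            seen.setdefault(r[t], prefix)
    return True

def non_confluent_up_to(trans, max_len):
    """Exhaustively check all words over the four letters up to the given length."""
    alphabet = [letter(), letter("phi"), letter("psi"), letter("phi", "psi")]
    return all(is_non_confluent(trans, list(word))
               for n in range(max_len + 1) for word in product(alphabet, repeat=n))

if __name__ == "__main__":
    # phi, phi, psi: the two runs agree up to the psi letter and split afterwards,
    # since psi fixes the current state but leaves the successor unspecified.
    for r in runs(until_transition, [letter("phi"), letter("phi"), letter("psi")]):
        print(r)
    # phi forever: runs q^omega and (not q)^omega that never meet.
    for r in runs(until_transition, [letter("phi"), letter("phi")]):
        print(r)
    print(non_confluent_up_to(until_transition, 4), non_confluent_up_to(free_transition, 2))
```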

The above non-confluence property has been used in [18] to develop a determinization procedure that exploits symbolic set representations. In particular, it does not rely on Safra trees as used by Safra's original procedure [23] or by the improved version of Piterman [21]. The states of the deterministic automata obtained by these procedures are trees of subsets of states of the original automaton. In contrast, our procedure generates deterministic automata whose states consist of n-tuples of subsets of states, where n is the number of states of the nondeterministic automaton.

³ According to the Krohn-Rhodes decomposition theorem, automata that stem from LTL properties only have reset and identity inputs [25].

Figure 5: Run Tree with two Infinite Runs of the Automaton of Fig. 3

6 A Symbolic Controller Synthesis Algorithm for Full LTL 

6.1 The Averest Framework 

Averest [26] is a set of tools for the specification, verification, and implementation of reactive systems. 
It includes a compiler and a simulator for synchronous programs, a symbolic model checker, and a tool 
for hardware-software synthesis. Averest can be used for modeling and verifying finite as well as infinite 
state systems at various levels of abstraction. In particular, Averest is not only well-suited for hardware 
design, but also for modeling communication protocols, concurrent programs, software in embedded 
systems, etc. 

The design flow using Averest consists of the following steps: First, the system is described as a synchronous program in our language Quartz [26], a descendant of Esterel. Then, the program is translated to a transition system in the Averest Interchange Format (AIF) using the Quartz compiler. This intermediate description can be directly used for verification with the symbolic model checker to check whether the system satisfies its specifications. If this is the case, code can be generated for an implementation in hardware or software with output formats like VHDL, Verilog or C.

The compiler contained in Averest does not only compile a Quartz program to a corresponding transition system, but also provides procedures to translate LTL and other specification logics to symbolically represented ω-automata.

The tool implementing the features of this paper is called Opal and extends the current Averest compiler to deal with controller synthesis. In the following subsections, the different steps of Opal are described in more detail. Opal is implemented in Moscow ML and uses Moscow ML's foreign function interface to connect to the BDD package CUDD.

6.2 Decomposing Specifications 

Specifications often consist of several relatively simple components, for instance, a collection of LTL properties whose conjunction should be satisfied. Thus, we consider specifications of the form Φ = ⋀_j Φ_j.

Instead of translating the entire specification at once, we generate separate deterministic automata for every subformula Φ_j. Clearly, since we allow any LTL property, we may have to make use of the determinization procedure outlined in [18] to translate Φ_j. For example, this is the case if the top-level operator of Φ_j is a temporal operator and Φ_j does not belong to one of the lower Borel classes TL_GF or TL_FG.

In practice, this is however nearly never the case. Instead, most often, the subformulas are themselves boolean combinations of even smaller formulas. Instead of handling them all at once, we also break these into smaller parts, so that we obtain for every Φ_j a collection φ_1, …, φ_m of LTL properties that all start with a temporal operator and that either belong to one of the classes TL_G, TL_F, TL_GF, TL_FG or to none of these classes.

6.3 Handling Safety and Liveness formulas 

Safety formulas φ_i are first translated to a nondeterministic safety automaton. Although safety automata cannot be directly transformed to a parity automaton, it is possible to minimize them using direct simulation⁴. After minimization, we perform the ordinary subset construction and afterwards minimize the automaton again using the direct simulation relation. However, one important subclass of properties does not scale well using this approach. Since many specifications are of the form 'if something happens now, in the next step something else happens', we treat this subclass separately. This subclass can be formally described by Boolean combinations of formulas of the form ψ or Xδ, where both ψ and δ are Boolean formulas over the input variables.

In that case, every X operator doubles the state space of the nondeterministic automaton and thus leads to a blow-up in the number of BDD variables of the deterministic automaton. Even worse, the simulation relations can neither minimize the nondeterministic nor the deterministic automaton, since the two states that occur due to an occurrence of Xa cannot be equivalent, as one of the two will lead to a non-satisfying loop. Thus, the basic translation procedure really suffers from a double-exponential blowup. Instead, we translate those formulas by abbreviating each variable a that is not under the scope of an X operator by a previous-value variable a_p such that a_p' ↔ a holds, and replace any subformula Xa with a.

Proposition 1. Given a formula Gφ where φ is a boolean combination of state variables v ∈ V_Σ and formulas Xv where v ∈ V_Σ. Then Gφ is initially equivalent to the symbolically represented deterministic automaton 𝔄 = (2^Q, Φ_ℐ, Φ_ℛ, λ, 𝒜) where Q = {a_p | a ∈ V_Σ} ∪ {p}, the initial condition Φ_ℐ requires p to hold and fixes the initial values of the variables a_p, and the transition relation is defined by

$\Phi_{\mathcal{R}} = \bigwedge_{a \in V_\Sigma} (a_p' \leftrightarrow a) \wedge (p' \leftrightarrow \varphi')$

Here φ' is obtained from φ by replacing any occurrence of a' (i.e., Xa) with a and any occurrence of a variable a ∈ V_Σ with a_p. Moreover, λ : 2^Q → 2^Q is the identity function.

Obviously, this leads to an automaton that has at most $|V_\Sigma| + 1$ state variables, so the automaton is only exponential in the size of the specification. Nevertheless, if many subformulas a exist but only few subformulas Xa, the ordinary translation may give better results, so that this translation is optional in our algorithm.
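The previous-variable translation above, as an added example that is not part of the paper or its tool: an explicit (non-BDD) deterministic safety automaton with one bit a_p per input variable plus the bit p, checked exhaustively against the LTL semantics of Gφ on finite prefixes, and a breadth-first count of its reachable states to make the |V_Σ| + 1 state-bit bound visible. The formula req → X grant, the variable names, and the `prev is None` marker for the first step (the paper's initial condition handles the first position differently) are assumptions of this example.

```python
from itertools import product
from typing import Callable, Dict, Optional, Sequence

Valuation = Dict[str, bool]
# phi(now, nxt): a Boolean combination of input variables a (looked up in `now`)
# and next-step variables Xa (looked up in `nxt`).
Phi = Callable[[Valuation, Valuation], bool]


def all_letters(inputs: Sequence[str]):
    """Every valuation of the input variables (the alphabet 2^{V_Sigma})."""
    return [dict(zip(inputs, bits)) for bits in product((False, True), repeat=len(inputs))]


def g_phi_on_prefix(word: Sequence[Valuation], phi: Phi) -> bool:
    """Reference semantics of G(phi) on a finite prefix: phi must hold at every
    position t for which the next position t+1 (needed for Xa) is available."""
    return all(phi(word[t], word[t + 1]) for t in range(len(word) - 1))


class PrevVarAutomaton:
    """Deterministic safety automaton for G(phi) in the style of the
    previous-variable translation: one state bit a_p per input variable a,
    holding the previous input, and one bit p.  The transition relation is
    a_p' <-> a together with p' <-> phi', where phi' evaluates phi at the
    previous position (a_p in place of a, the current input in place of Xa).
    Acceptance is the safety condition G p.
    Assumption of this example: `prev is None` marks 'no previous input yet',
    so the very first step does not evaluate phi at a non-existent position."""

    def __init__(self, inputs: Sequence[str], phi: Phi) -> None:
        self.inputs = tuple(inputs)
        self.phi = phi
        self.reset()

    def reset(self) -> None:
        self.p = True                          # Phi_I requires p
        self.prev: Optional[Valuation] = None  # a_p not yet defined

    def step(self, inp: Valuation) -> bool:
        # p' <-> phi' : phi at the previous position, now fully known
        self.p = True if self.prev is None else self.phi(self.prev, inp)
        self.prev = dict(inp)                  # a_p' <-> a
        return self.p

    def state(self):
        prev = None if self.prev is None else tuple(self.prev[a] for a in self.inputs)
        return (self.p, prev)

    def accepts_prefix(self, word: Sequence[Valuation]) -> bool:
        """G p along the run on the prefix (the run is rejected once p is False)."""
        self.reset()
        return all(self.step(letter) for letter in word)


def agrees_with_semantics(inputs: Sequence[str], phi: Phi, max_len: int = 4) -> bool:
    """Exhaustively compare the automaton with g_phi_on_prefix on all words
    of length <= max_len."""
    letters = all_letters(inputs)
    aut = PrevVarAutomaton(inputs, phi)
    for n in range(max_len + 1):
        for word in product(letters, repeat=n):
            if aut.accepts_prefix(word) != g_phi_on_prefix(word, phi):
                return False
    return True


def count_reachable_states(inputs: Sequence[str], phi: Phi) -> int:
    """Size of the explicit automaton: at most 2 * 2^{|V_Sigma|} states plus
    the initial one, i.e. |V_Sigma| + 1 state bits (plus the first-step marker)."""
    letters = all_letters(inputs)
    aut = PrevVarAutomaton(inputs, phi)
    aut.reset()
    start = aut.state()
    seen, todo = {start}, [start]
    while todo:
        p, prev = todo.pop()
        for letter in letters:
            aut.p = p
            aut.prev = None if prev is None else dict(zip(aut.inputs, prev))
            aut.step(letter)
            s = aut.state()
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return len(seen)


def req_then_grant(now: Valuation, nxt: Valuation) -> bool:
    """Constructed sample specification G(req -> X grant):
    'if something now happens, in the next step something else happens'."""
    return (not now["req"]) or nxt["grant"]


if __name__ == "__main__":
    inputs = ("req", "grant")
    print("agrees with LTL semantics:", agrees_with_semantics(inputs, req_then_grant))
    print("reachable explicit states:", count_reachable_states(inputs, req_then_grant))
```

For the two-variable sample the explicit automaton has 7 reachable states (the initial one, four states with p true, and two with p false), which is what a 3-bit encoding plus the first-step marker allows; the ordinary translation of Gφ would instead introduce a fresh automaton state for every X-subformula.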

For liveness formulas φ, we translate the negated formula ¬φ (a safety formula) and dualize the corresponding deterministic safety automaton to obtain a deterministic liveness automaton.

¹Indeed, the nondeterministic automata generated by the translation procedures given in [25] translate the safety fragment to an automaton with the trivial acceptance condition G1, so that even the ordinary simulation relation as described in [9] could be applied.
6.4 Handling Co-Büchi and Büchi specifications

For co-Büchi specifications, we use the translation from TL_FG to nondeterministic co-Büchi automata and minimize this automaton using the minimization techniques of [9]. Afterwards, this automaton is determinized using the breakpoint construction and again minimized. Büchi specifications are translated using the dual of the deterministic automaton obtained from the negated formula.
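The breakpoint construction used in this step, as an added example that is neither the paper's nor its tool's code: a nondeterministic co-Büchi automaton is determinized into (S, O) pairs, where S is the usual subset and O tracks the runs that have not visited a rejecting state since the last breakpoint, and acceptance of an ultimately periodic word u v^ω is decided by running the deterministic automaton until a loop boundary state repeats. The sample automaton (for FG a over the alphabet {a, b}, i.e. words with finitely many b's) and its state names are constructed for this example.

```python
from typing import Dict, FrozenSet, Hashable, Iterable, List, Sequence, Set, Tuple

State = Hashable
Letter = Hashable
DState = Tuple[FrozenSet[State], FrozenSet[State]]   # (S, O)


class NCW:
    """Nondeterministic co-Buchi automaton: a run is accepting iff it visits
    the `rejecting` states only finitely often."""

    def __init__(self, alphabet: Iterable[Letter],
                 delta: Dict[Tuple[State, Letter], Set[State]],
                 initial: Iterable[State], rejecting: Iterable[State]) -> None:
        self.alphabet = tuple(alphabet)
        self.delta = delta
        self.initial = frozenset(initial)
        self.rejecting = frozenset(rejecting)

    def post(self, states: Iterable[State], letter: Letter) -> FrozenSet[State]:
        return frozenset(q for s in states for q in self.delta.get((s, letter), ()))


class BreakpointDCW:
    """Miyano-Hayashi breakpoint determinization of an NCW into a deterministic
    co-Buchi automaton.  A state (S, O) carries the subset S of reachable NCW
    states and the subset O of S whose runs have not visited a rejecting state
    since the last breakpoint.  When O runs empty (a breakpoint) every run
    tracked so far has hit a rejecting state, so tracking restarts from S.
    A word is accepted iff breakpoints occur only finitely often, i.e. some run
    of the NCW eventually stays clear of the rejecting states."""

    def __init__(self, ncw: NCW) -> None:
        self.ncw = ncw
        s0 = ncw.initial
        self.initial: DState = (s0, s0 - ncw.rejecting)

    def step(self, state: DState, letter: Letter) -> DState:
        s, o = state
        s_next = self.ncw.post(s, letter)
        if o:
            o_next = self.ncw.post(o, letter) - self.ncw.rejecting
        else:                                  # breakpoint: restart tracking
            o_next = s_next - self.ncw.rejecting
        return (s_next, o_next)

    @staticmethod
    def is_breakpoint(state: DState) -> bool:
        return len(state[1]) == 0

    def reachable_states(self) -> Set[DState]:
        seen, todo = {self.initial}, [self.initial]
        while todo:
            st = todo.pop()
            for a in self.ncw.alphabet:
                nxt = self.step(st, a)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def accepts_lasso(self, prefix: Sequence[Letter], loop: Sequence[Letter]) -> bool:
        """Decide acceptance of the ultimately periodic word prefix . loop^omega:
        iterate the loop until the state at a loop boundary repeats, then check
        that no breakpoint occurs inside the repeating cycle."""
        assert loop, "loop must be non-empty"
        state = self.initial
        for a in prefix:
            state = self.step(state, a)
        first_seen: Dict[DState, int] = {}
        breakpoint_in_iteration: List[bool] = []
        while state not in first_seen:
            first_seen[state] = len(breakpoint_in_iteration)
            hit = False
            for a in loop:
                state = self.step(state, a)
                hit = hit or self.is_breakpoint(state)
            breakpoint_in_iteration.append(hit)
        cycle_start = first_seen[state]
        return not any(breakpoint_in_iteration[cycle_start:])


def finitely_many_b() -> NCW:
    """Constructed sample NCW for FG a over {a, b}: stay in q0 while guessing,
    jump to q1 on some a and then read only a's; q0 is the rejecting state."""
    delta = {
        ("q0", "a"): {"q0", "q1"},
        ("q0", "b"): {"q0"},
        ("q1", "a"): {"q1"},
        ("q1", "b"): set(),
    }
    return NCW(alphabet=("a", "b"), delta=delta, initial={"q0"}, rejecting={"q0"})


if __name__ == "__main__":
    dcw = BreakpointDCW(finitely_many_b())
    print("reachable (S, O) states:", len(dcw.reachable_states()))
    print("a^w accepted:", dcw.accepts_lasso([], ["a"]))
    print("(ab)^w accepted:", dcw.accepts_lasso([], ["a", "b"]))
```

The construction has at most 3^n states for an NCW with n states (each state is outside S, in S but not in O, or in O); for the two-state sample only two of the nine candidates are reachable, which is the kind of gap the simulation-based minimization before and after determinization exploits.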

6.5 Handling LTL Formulas that do not belong to a lower Borel Class

If a subformula does not belong to one of the lower Borel classes, we have to resort to the determinization procedure from [18]. Thus, we first translate to a non-confluent Büchi automaton and minimize it. This nondeterministic automaton is determinized using the procedure described in [18]. However, we do not need to construct the whole automaton at once. Instead, we construct the automaton for a fixed bound k and check whether every marking of a state has been noticed by a state set. If so, we return this automaton; otherwise we repeat the construction with an increased bound. Afterwards, we use the minimization techniques of [9] to minimize the obtained parity automaton.

Although this procedure gives back a parity automaton that is, from a theoretical point of view, more efficient than a Streett automaton, the heavy complexity of determinization makes even this approach infeasible in practice. Thus, we also break up the formulas into smaller parts until every subformula starts with a temporal operator. Those subformulas are then translated as explained before. It is well known that every parity automaton can also be interpreted as a Streett or a Rabin automaton. We thus interpret the obtained automaton as a Streett automaton and combine the deterministic Streett automata to obtain a Streett automaton for the conjunction, which is afterwards translated to a generalized parity automaton.

6.6 Solving Generalized Parity Games

Instead of solving the whole generalized parity game at once, we first solve the subgames that are obtained by constructing the game for each subformula φ_i. The set of states that are losing for the controller need not be considered in the overall game. Afterwards, we solve the reduced overall game using the generalized parity game algorithm of [6].

6.7 Generating Circuits from BDDs

The output of the generalized parity algorithm is a BDD over the (current state) variables $V_\Sigma$, $V_C$ and the automaton state variables $Q$, and over newly introduced state variables $V_M$ that encode counter variables used to switch between the sub-strategies calculated by the generalized parity algorithm. A slight modification of the algorithm given in Figures 2 and 3 of [3] allows us to generate, for every controllable input variable c, a BDD φ_c with the meaning that c should hold whenever φ_c holds. We then write those BDDs to a file in our Averest interchange format. The tool Topaz in our Averest toolset can be used to obtain either Verilog, VHDL or C code from the generated file.

7 Experiments and Conclusion 

This section describes the experiments performed using the controller synthesis algorithm described in 
this paper. To this end, the 23 specifications that come with the Lily tool [10] are used as a benchmark 
set. Those 23 handwritten formulas are mostly traffic light examples or arbiters. 
No.  T,B,AP   subf  non-safety  NoneDetT  OpalDetT  NoneT  OpalT  LilyT
L1   12,5,4   3     1           0.59      0.12      0.62   0.14   0.13
L2   12,5,4   3     1           0.64      0.13      0.66   0.16   0.12
L3   12,5,4   1     1           0.71      0.13      0.79   0.16   0.65
L4   16,10,4  1     1           0.72      0.1       0.77   0.15   1.31
L5   20,11,4  1     1           0.72      0.12      0.84   0.2    0.98
L6   18,14,4  1     1           0.71      0.14      0.9    0.2    1.98
L7   16,15,4  1     1           0.74      0.13      0.81   0.19   0.87
L8   4,1,2    1     1           0.01                0.02   0.01   0.07
L9   8,6,2    1     1           0.12      0.03      0.16   0.06   0.22
L10  6,3,2    1     1           0.02      0.02      0.02   0.03   0.39
L11  4,3,2    1     1           0.17      0.02      0.18   0.03   0.66
L12  5,4,2    1     1           0.21      0.02      0.22   0.03   0.19
L13  4,3,2    1     2           0.01      0.02      0.04   0.04   0.03
L14  9,3,4    3     2           0.01                0.02   0.03   0.26
L15  9,5,4    5     4           0.21      0.03      0.29   0.1    0.18
L16  15,9,6   9     6           0.28      0.04      0.36   0.14   1
L17  13,5,5   6     3           0.01                0.05   0.04   0.37
L18  21,10,7  10    4                     0.01      0.11   0.11   1.67
L19  10,7,4   1                 0.25      0.04      0.33   0.14   2.46
L20  17,20,5  1                 0.11      0.02      0.2    0.11   4.38
L21  40,38,8  1                 0.29      0.04      1.48   0.32   8.11
L22  22,18,4  1                 0.32      0.06      0.43   0.12   9.98
L23  8,5,2    1                 0.09      0.01      0.11   0.03   0.28

Figure 6: Experiments performed with different Determinization Constructions



To analyze the effect of using the all-purpose determinization of [18] instead of the much simpler breakpoint or subset construction, we performed three different experiments on each of the formulas; the runtimes are summarized in Figure 6. The first column lists the identification number of the example. The second column gives some measures of the specification in terms of the number of temporal operators, boolean operators, and input variables. The third column gives the number of subformulas, i.e. the number of top-level conjuncts; the conjunction of those formulas forms the overall specification. Notice that the number of boolean operators does not include the top-level conjunctions. The next column indicates how many subformulas are not safety formulas². The next two columns give the time for determinization, followed by the overall time needed to synthesize the specification.

Algorithm Opal uses all optimizations. Every formula is translated with the lowest possible determinization procedure. In contrast, algorithm None translates every formula that is not a safety formula with the all-purpose determinization construction of [18]. Finally, the last column gives the running time of the Lily algorithm.

As can be seen, using "easier" determinization procedures like the Rabin-Scott subset construction or the Miyano-Hayashi breakpoint construction significantly improves the determinization step itself. When the size of the specification grows, as in examples L20-L23, the overall synthesis time is no longer dominated by the determinization but by the time to solve the generalized parity game. In that case, using the easier determinization procedures leads to smaller automata and thus also to an improvement of the overall synthesis time. With the exception of the small specifications L1 and L2, our tool is significantly faster than the explicitly implemented tool Lily.

²In the considered experiments, every subformula is at least contained in the Büchi or co-Büchi class, so that we obtain a formula of the temporal logic hierarchy.